GDPR Compliance


Europe, and much of the world, is moving towards strengthened and unified protection of personal data for everyone within Europe, particularly where personal data is exported to countries outside the EU, and GDPR Compliance is now an essential consideration for businesses.

The fundamental objective that drives the GDPR is to give back control to individuals as to how their personal data is managed and used. The GDPR brings consistency and conformity of previous and existing European data protection laws.

Requirements for GDPR Compliance

The GDPR has extensive consequences for organisations and businesses worldwide, including in countries such as the U.S., where the Safe Harbor arrangement has been invalidated. U.S. businesses that export and handle the personal data of European individuals will be compelled to comply with the GDPR or suffer the consequences.

Penalties for data breaches or non-compliance under the GDPR depend on their severity, but you will need to be aware of the actions required to remedy a breach:

Your establishment will be required to notify the relevant data protection authority, together with the individual or individuals whose data has been breached.

Depending on the severity of the breach, your establishment may receive a GDPR fine of up to €20 million or 4% of turnover.

There are some exceptions to this under the GDPR, based on whether adequate security measures were in place.

Encryption

Where a security measure such as encryption renders the breached data unintelligible to anyone not authorised to access it, there is no requirement to notify the data subjects, and the likelihood of financial penalties following a security breach is lessened. The GDPR mentions encryption only in passing, but its benefits for GDPR Compliance make it an unavoidable reality for the safekeeping of data.

Put simply, encryption turns data into an unintelligible form that can only be read again by decryption. Its basis is cryptography, the same foundation that underpins transactions on the Blockchain model. With regard to the GDPR and compliance, encryption of data, while not mandatory, is a valuable data protection method. The GDPR is not set in stone: it will be developed further in response to past and future mistakes, and will evolve alongside the design and development of new technologies, especially cloud computing.

However, the fact that it is not mandatory is often missed by businesses that are told encryption is an obligation, and who are misled into the hard sell of encryption software solutions. Although there is no strict requirement to use encryption for data protection, using it is a good idea, because data protection, GDPR Compliance and ePrivacy will evolve and be developed further on an ad hoc, case-by-case basis as breaches occur and new technologies develop.

Encryption therefore has to be regarded as an important weapon against security breaches as data protection advances alongside it. What the GDPR actually states about encryption (on only four occasions) is illustrated by the following provision:

“In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption”.

Pseudonymisation

Businesses wishing to store or manage data in any way are now subject to very strict control under the GDPR, the most comprehensive overhaul of privacy legislation in EU history. It has a far-reaching impact on all businesses and industries, from banks and hospitals to corner shops and fitness centres, all of which must ensure they meet GDPR Compliance.

There are a number of ways to protect not only the private information you hold about customers, employees and third parties, but also your business from huge penalties.

Pseudonymisation is the replacement of identifiable data, such as names, addresses and dates of birth, with other data which, although it looks similar, does not reveal personal information about a real individual.

Pseudonymisation is very helpful to organisations that wish to collect data for surveys and statistics rather than specific information about individuals, and it keeps such organisations from falling foul of the GDPR.

Banks are making particularly good use of this concept. A good example is the Dutch bank Rabobank, which used pseudonymisation to help develop a modern payment system using IBM’s cryptography software, the “High Assurance Desensitisation Engine” (the very name should bring peace of mind to organisations wishing to cherish their customers’ data).

Collecting essential data such as names, dates of birth and account numbers through pseudonymisation to build payment forms enabled the bank to transform its existing software rather than build new software. IBM’s software works by replacing the data with strings of numbers and letters, derived using keys and hashes, that behave in the same way as the original data when run through the bank’s original software.

The bank holds the only key to the original data, which can be used to regenerate the original data from the hashed values but is never seen by anyone outside the bank.

Pseudonymisation is a tool that allows companies to process data in a way that ensures they comply with the GDPR, freeing them from otherwise strict privacy restrictions that would previously have disallowed that use of the data.
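As an added illustration (not IBM’s or Rabobank’s code), the following Python sketches the kind of keyed, format-preserving pseudonymisation described above: each pseudonym keeps the shape of the original value so legacy software still accepts it, the same input always maps to the same pseudonym, and only the holder of the secret key and vault can recover the originals. The field names and the sample values are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


def shape(value: str) -> str:
    """Character classes of a value: 'A' upper, 'a' lower, '9' digit, others kept."""
    return "".join("9" if c.isdigit() else "A" if c.isupper() else "a" if c.isalpha() else c
                   for c in value)


@dataclass
class Pseudonymiser:
    """Deterministic, format-preserving pseudonyms with a private re-identification vault."""
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))  # stays with the data holder
    vault: dict = field(default_factory=dict)  # (field, pseudonym) -> original, held only here

    def _keystream(self, field_name: str, value: str, n: int) -> bytes:
        # HMAC-SHA256 over (field, value, counter). Domain separation means the same
        # value in two fields gets unlinkable pseudonyms; the counter extends the
        # stream so values longer than one digest are covered.
        msg = f"{field_name}\x00{value}".encode()
        out, counter = b"", 0
        while len(out) < n:
            out += hmac.new(self.key, msg + counter.to_bytes(4, "big"), hashlib.sha256).digest()
            counter += 1
        return out[:n]

    def pseudonymise(self, field_name: str, value: str) -> str:
        stream = iter(self._keystream(field_name, value, len(value)))
        out = []
        for ch in value:
            if ch.isdigit():                    # digit -> digit (byte % 10 has slight bias; fine here)
                out.append(str(next(stream) % 10))
            elif ch.isalpha():                  # letter -> letter of the same case
                base = ord("A") if ch.isupper() else ord("a")
                out.append(chr(base + next(stream) % 26))
            else:                               # separators stay, so legacy parsers still split fields
                out.append(ch)
        pseudonym = "".join(out)
        # Short fields can collide; refuse to silently overwrite a different original.
        prior = self.vault.setdefault((field_name, pseudonym), value)
        if prior != value:
            raise ValueError(f"pseudonym collision in field {field_name!r}")
        return pseudonym

    def reidentify(self, field_name: str, pseudonym: str) -> str:
        """Reverse a pseudonym; only the vault holder can do this."""
        return self.vault[(field_name, pseudonym)]
```

Analytics run on the pseudonymised columns; the vault and key never leave the data holder, which is the property the text describes for the bank.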

Trusts

Truata, a financial trust company set up by IBM and Mastercard, acts as a conduit for third-party businesses that wish to analyse their data and establish that they conform to GDPR Compliance.

A report by Solix has revealed that less than 50% of firms were not sure whether they were GDPR compliant prior to May 25th 2018. With data being an integral component of most businesses and the key to successful marketing and advertising, it is important that there is an element of control, more so than mere ad blockers!

Truata has therefore set itself up as an independent compliance analytics provider and is receiving interest, mainly from larger companies. It works like this: an online company passes its customer list to Truata, first anonymising the list using IBM technology so that it can then be stored and analysed by Truata.

There are a number of options for analytical reporting of the data, including Truata’s analytical front-end tools or an interface that allows the client to carry out the analytics themselves. Other options include requesting algorithms or model code to be used alongside the client’s own tools for analysing data.

There has been speculation that moving data outside an organisation’s perimeter risks privacy breaches, the very antithesis of the GDPR, but IBM is keen to dispel these concerns by emphasising that the trust operates with the utmost security in mind and stressing that it conforms to the guidelines set down by the Article 29 Working Party.


Data-at-Rest includes data in storage, archives, reference files, files stored on hard drives, servers and storage area networks, and files held off-site by backup service providers. Encryption would need to apply to all access and control, wherever the data is held.

Data-in-Motion includes email and any other transport of data; encryption is necessary so that all data traversing different networks is heavily protected, preventing it from being heard, seen or intercepted.

In addition to protection by encryption, there has to be a strong element of management in place, not just to protect the encrypted data, but to prevent any unauthorised retention of data, in line with the individual’s legal right to have data completely erased and “forgotten”.

Businesses will also be required to substantiate the legitimate identity and activity of an individual and to verify that the organisation has strict security controls in place, in line with the GDPR Compliance management requirements.

Articles 5, 25 and 32 of the GDPR make clear that only authorised users may access data, and only when appropriate. For GDPR Compliance, businesses are expected to be fully in control of any data that is held or processed and to ensure that the data is accurate.

Businesses are urged to ensure that stored data is kept in an unintelligible state, and encryption is one way to achieve this. GDPR Compliance requirements can be met by this simple control, which prevents individuals from being identified through the data. In addition, when properly used, encryption prevents the data from being manipulated.

Multi-Factor Authentication

A further security method recommended for GDPR Compliance is “multi-factor authentication”, or “MFA”. Already very popular with services such as Facebook and Google, it is sometimes referred to as “two-step verification”. Proponents of MFA argue that doing away with single-password verification greatly reduces online fraud and identity theft. There is no denying that MFA is far superior when it comes to security.

However, some companies dislike the fact that it may be seen as an arduous burden by the end user, although there are flexible and adaptable solutions, such as biometric authentication methods, which do not compromise business activities.

Biometric Authentication

Biometric authentication allows for an individual’s identity to be authenticated based on specific data unique to that individual. It is estimated that almost 90% of firms will be using biometrics by 2020, according to a recent survey by Spiceworks.

This increasingly sophisticated method of authenticating individuals has caused some controversy, especially in light of the recent launch of facial recognition on Apple’s iPhone X. Fundamentally, the question being asked is “Who are you?”

The question then begs: “How will such sensitive and private data be protected?” For this reason the GDPR calls for even stricter protection of biometric data. Because the field is in its infancy and will clearly advance, the GDPR provides a definition broad enough to cover all eventualities for compliance. By defining biometrics as broadly as possible, it ensures that this type of data is subject to stringent data processing controls and impact assessments now and in the future.

After all, the data is very personal; it involves:

A photo of a face

A record of a voice

An image of a fingerprint

This will be compared with the biometric data of a multitude of other individuals stored in a database. Very sensitive indeed!

A further category of biometrics is data collected from behaviour rather than physiology. Behavioural data collection is narrower in scope, as a “behaviour” is not usually unique to one person and could be attributed to a number of people; examples include particular gaits, lip motion and typing or keystroke patterns.

Any organisation actively using such physiological or behavioural biometric data should look closely at, and define exactly, what data is being processed and to what end. It is important to be proactive and put measures in place to ensure that such processing is justified and that the relevant consent and contracts are correctly in place.

Subsequently, any organisation processing, or contemplating processing, biometric data will need to keep abreast of developments in this rapidly developing field. Due to the extreme sensitivity of such data, and to ensure ongoing GDPR Compliance, the GDPR requires data controllers to carry out mandatory and continual privacy impact assessments, to ensure that there is no privacy risk at all to the individuals whose data is held.

This is pertinent for organisations that are continually developing new technologies alongside the use of biometric data, and also where biometric data is collected and used on a large scale and/or in public settings, such as the retail or fitness sectors, where facial recognition is becoming more common. In such circumstances, data controllers will be required to be fully aware of the data processing risks involved and able to implement tailored measures that mitigate those risks to the absolute bare minimum.

Showing integrity as a business is important under the GDPR, and your customers, employees and any other third parties whose data you hold will be confident that your organisation is doing its utmost to protect and cherish the data held on their behalf. This is why GDPR Compliance will continue to be an essential part of your business for the foreseeable future. Get your processes and approaches right now and everyone benefits; it is important not to “wait and see what happens”.

If your business is not GDPR Compliant, contact GDPR Compliance experts like Seers, who have a team of consultants who can help your business immediately and ensure you comply fully.